.gitlab-ci.yml 示例

本文示例的k8s配置文件路径：

• 项目：project1
  • src/
  • k8s/
    • st-testing.yaml
    • staging.yaml
    • ka-testing.yaml
    • st-mock.yaml
    • ka-staging.yaml
  • .gitlab-ci.yml
  • Dockerfile
  • Dockerfile.dev
  • Dockerfile.prod
  • Dockerfile.testing
  • …

# 这里自定义字段，在后文中使用
variables:
  # drone.yml repo: "hbdev.wataru.com/wataru/fe-site-staging"
  # DOCKER_IMAGE_NAME是repo的地址中，除去域名的剩下部分
  # drone.yml - kubectl apply -f ./k8s/st-mock.yaml -n wataru
  # xx_K8S_NAMESPACE 是 -n 后的值，-n指 -namespace
  # xx_DEPLOYMENT_NAME 在drone.yml中的 - kubectl rollout restart deployment fe-site-mock -n wataru 查看 “deployment”后的“fe-site-mock”就是 deployment_name

  # 在harbor官网建立自己的仓库，比如示例：hbdev.wataru.com，在仓库下建立目录wataru,将本次镜像上传到https://hbdev.wataru.com/wataru/下
  # 在这里区分了三种版本：1、标准版（通用版本）2、私有化版（为专门的客户精细功能）3、演示版（数据都是虚拟的，只展示UI和交互）
  # 标准版：正式环境、预发环境、测试环境
  #   正式：harbor.wataru.com/wataru/fe-site:1.1.1
  #   预发：harbor.wataru.com/wataru/fe-site:staging
  #   测试：hbdev.wataru.com/wataru/fe-site:testing
  # 私有化版：正式环境、预发环境、测试环境
  #   正式：harbor.wataru.com/wataru/fe-site-staging:1.1.1-ka
  #   预发：hbdev.wataru.com/wataru/fe-site-staging:staging
  #   测试：hbdev.wataru.com/wataru/fe-site-ka-testing
  # 演示版：正式环境、预发环境、测试环境
  #   正式：harbor.wataru.com/wataru/fe-site-demo:1.1.1-demo
  #   测试：hbdev.wataru.com/wataru/fe-site-mock:testing
  DOCKER_IMAGE_NAME: wataru/fe-site # 通用的 docker 镜像名称地址
  STAGING_DOCKER_IMAGE_NAME: wataru/fe-site # 标准版预发环境 docker 镜像名称地址，"hbdev.wataru.com/wataru/fe-site"除去域名的剩下部分
  TESTING_DOCKER_IMAGE_NAME: wataru/fe/fe-site # 标准版测试环境 docker 镜像名称地址
  MOCK_DOCKER_IMAGE_NAME: wataru/fe-site-mock # 演示版测试环境 docker 镜像名称地址
  DEMO_DOCKER_IMAGE_NAME: wataru/fe-site-demo # 演示版正式环境 docker 镜像名称地址
  KA_DOCKER_IMAGE_NAME: wataru/fe-site-staging # 私有化交付 docker 镜像名称
  KA_DOCKER_IMAGE_NAME_TESTING: wataru/fe/fe-site-ka-testing # 私有化测试 docker 镜像名称

  # 在kubernetes中的命名空间namespace可以用来批量部署镜像，如果想有规划地部署，可以创建多个分类的namespace命名空间，在不同namespace部署不同的分类，比如预发环境（所有项目）/测试环境（所有项目），或者某个项目（包括xx环境/xx环境等）。
  # 在kubernetes中有多个命名空间namespace，namespace可以当做是某个xx环境,比如测试/预发/正式等。同一个环境的前后端的镜像，放在同一个namespace中。
  # 我的namespace命名空间是wataru，我用来做预发环境，deployment就是我要部署的镜像项目名称
  # namespace: wataru
  #   deployment: fe-site (网站),fe-mobile(移动端) 等，deployment下的名称是自己定义的，叫啥都行

  STAGING_K8S_NAMESPACE: wataru # 标准版预发环境命名空间，可在drone.yml中的 - kubectl apply -f ./k8s/ka-testing.yaml -n wataru，查看
  TESTING_K8S_NAMESPACE: wataru # 标准版测试环境命名空间，
  KA_TESTING_K8S_NAMESPACE: ka-testing # 私有化版-测试环境 K8S 命名空间，可在drone.yml中的 - kubectl apply -f ./k8s/ka-testing.yaml -n ka-testing，查看
  KA_STAGING_K8S_NAMESPACE: wataru-stable # 私有化版-预发环境 K8S 命名空间，可在drone.yml中的 - kubectl apply -f ./k8s/ka-staging.yaml -n wataru-stable 查看

  MOCK_TESTING_DEPLOYMENT_NAME: fe-site-mock # 演示版-测试环境-deployment的名称，跟deployment里要对上，要么yaml里用占位符,在drone.yml中的 - kubectl rollout restart deployment fe-site-mock -n wataru 查看 “deployment”后的“fe-site-mock”就是 deployment_name
  TESTING_DEPLOYMENT_NAME: fe-site # 标准版-测试环境-deployment的名称，跟kubernetes的namespace命名空间下的deployment里的名称要对上，要么yaml里用占位符
  STAGING_DEPLOYMENT_NAME: fe-site # 标准版-测试环境-deployment的名称，跟kubernetes的namespace命名空间下的deployment里的名称要对上，要么yaml里用占位符
  KA_TESTING_DEPLOYMENT_NAME: fe-site # 私有化版-测试环境-deployment名称， 跟kubernetes的namespace命名空间下的deployment里的名称要对上，要么yaml里用占位符
  KA_STAGING_DEPLOYMENT_NAME: fe-site # 私有化版-预发环境-deployment名称，跟kubernetes的namespace命名空间下的deployment里的名称要对上，要么yaml里用占位符

  # 打docker镜像的Dockerfile配置文件
  PRODUCTION_DOCKERFILE: Dockerfile # 正式环境打docker镜像的Dockerfile文件
  STAGING_DOCKERFILE: Dockerfile.rel # 预发/测试（开发过程不断更新镜像时用这个）环境打docker镜像的Dockerfile文件，这里没用上
  TESTING_DOCKERFILE: Dockerfile.testing # 测试环境打docker镜像的Dockerfile文件
  KA_TESTING_DOCKERFILE: Dockerfile.testing # 私有化版-测试环境-dockerfile打包文件
  KA_PRODUCTION_DOCKERFILE: Dockerfile # 私有化版-预发/正式环境-dockerfile打包文件

  STATIC_PUBLIC_PATH: /wataru/1.0 # 静态资源上传的地址oss

# 下面一般不需要动

stages:
  - check
  - build
  - deploy
  - test

# ========================= check =========================
opensca-check:
  stage: check
  tags:
    - "check"
  image: hbdev.wataru.com/dev/opensca:1.0.9
  script:
    - /usr/local/bin/opensca-scan.sh
  only:
    - merge_requests
    - master
    # - develop
    # - /^testing\/*/
    - /^staging.*/
    - /^feature\/*/
    - /^hotfix\/*/
sonarqube-check:
  stage: check
  tags:
    - "check"
  image: sonarsource/sonar-scanner-cli:4.6
  allow_failure: true # 能强制的时候把这个干掉
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "SONAR_${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    # 暂时不强求
    - |
      if [ -f "sonar-project.properties" ];then
      sonar-scanner -Dsonar.sources=. -Dsonar.branch.name=$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME
      fi
  only:
    - merge_requests
    - master
    - /^staging*/

# ========================= build =========================
docker-build:
  # Use the official docker image.
  image:
    name: docker:20.10.17
    #pull_policy: if-not-present
  stage: build
  tags:
    - "frontend" # golang: go后端项目,frontend：前端项目，php: PHP项目
  services:
    - docker:20.10.17-dind
  cache:
    key: "BUILD_DOCKER_${CI_JOB_NAME}"
    paths:
      - .docker/cache
  before_script:
    # HARBOR_REGISTRY：harbor仓库地址，HARBOR_USERNAME：harbor仓库用户名，HARBOR_PASSWORD：harbor仓库登录密码
    # PRODUCTION_HARBOR_REGISTRY
    # PRODUCTION_HARBOR_USERNAME
    # PRODUCTION_HARBOR_PASSWORD

    # TESTING_HARBOR_REGISTRY
    # TESTING_HARBOR_USERNAME
    # TESTING_HARBOR_PASSWORD

    # KA_TESTING_HARBOR_REGISTRY
    # KA_TESTING_HARBOR_USERNAME
    # KA_TESTING_HARBOR_PASSWORD

    # KA_HARBOR_REGISTRY
    # KA_HARBOR_USERNAME
    # KA_HARBOR_PASSWORD

    # CI_COMMIT_BRANCH：提交的分支
    - |
      HARBOR_REGISTRY=$PRODUCTION_HARBOR_REGISTRY
      HARBOR_USERNAME=$PRODUCTION_HARBOR_USERNAME
      HARBOR_PASSWORD=$PRODUCTION_HARBOR_PASSWORD
      if [[ "$CI_COMMIT_BRANCH" =~ ^testing* ]]; then
        echo "image will publish to testing repository!"
        HARBOR_REGISTRY=$TESTING_HARBOR_REGISTRY
        HARBOR_USERNAME=$TESTING_HARBOR_USERNAME
        HARBOR_PASSWORD=$TESTING_HARBOR_PASSWORD
      elif [[ "$CI_COMMIT_BRANCH" =~ ^ka-testing* ]]; then
        echo "image will publish to ka-testing repository!"
        HARBOR_REGISTRY=$KA_TESTING_HARBOR_REGISTRY
        HARBOR_USERNAME=$KA_TESTING_HARBOR_USERNAME
        HARBOR_PASSWORD=$KA_TESTING_HARBOR_PASSWORD
      elif [[ "$CI_COMMIT_BRANCH" =~ ^ka-staging* ]]; then
        echo "image will publish to ka-staging repository!"
        HARBOR_REGISTRY=$KA_HARBOR_REGISTRY
        HARBOR_USERNAME=$KA_HARBOR_USERNAME
        HARBOR_PASSWORD=$KA_HARBOR_PASSWORD
      fi
    - docker login -u "$HARBOR_USERNAME" -p "$HARBOR_PASSWORD" $HARBOR_REGISTRY
  script:
    # CI_COMMIT_REF_SLUG：当前分支或者tag，格式是：v1-1-1-ka
    # CI_COMMIT_TAG：打的tag名称，格式是：v1.1.1-ka
    # tagName=${CI_COMMIT_REF_SLUG//-/.}，表示用 . 替换掉 - ，v1-1-1-ka变成 v1.1.1.ka
    # 使用tagName=${CI_COMMIT_TAG},，然后把v干掉
    # tag=":${tagName//v/}"，表示空字符替换v，也就是把v删掉
    - |
      DOCKERFILE_NAME=$PRODUCTION_DOCKERFILE
      if [[ "$CI_COMMIT_BRANCH" =~ ^st-testing* ]]; then
        tag=":testing" # 标准测试：hbdev.wataru.com/wataru/fe-site:testing，tag是fe-site:testing的“:testing”
        DOCKERFILE_NAME=$TESTING_DOCKERFILE
      elif [[ "$CI_COMMIT_BRANCH" =~ ^staging* ]]; then
        tag=":staging" # 标准预发：hbdev.wataru.com/wataru/fe-site:staging，tag是fe-site:staging的“:staging”
        DOCKER_IMAGE_NAME=$STAGING_DOCKER_IMAGE_NAME
      elif [[ "$CI_COMMIT_BRANCH" =~ ^ka-testing$ ]]; then # 分支名 ^X：以X开头，X$:以X结束，^ka-testing$，以ka-testing开头和结束，即精确匹配ka-testing
        tag="" # 私有化测试：hbdev.wataru.com/wataru/fe-site-ka-testing，没有“:xxx”，tag是""，默认是latest
        DOCKER_IMAGE_NAME=$KA_DOCKER_IMAGE_NAME_TESTING
      elif [[ "$CI_COMMIT_BRANCH" =~ ^st-mock$ ]]; then
        tag=""
        DOCKER_IMAGE_NAME=$MOCK_DOCKER_IMAGE_NAME
      elif [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
        tag=""
        echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = 'latest'" # 打印出CI_DEFAULT_BRANCH
      else
        # 你在gitlab上打的tag标签是v1.1.1-ka
        # tagName=${CI_COMMIT_REF_SLUG//-/.}，CI_COMMIT_REF_SLUG：当前分支或者tag标签，格式是：v1-1-1-ka
        tagName=${CI_COMMIT_TAG} # CI_COMMIT_TAG的格式是：v1.1.1-ka
        tag=":${tagName//v/}" # tag=":${tagName//v/}"，表示空字符替换v，也就是把v删掉
        if [[ "$CI_COMMIT_TAG" =~ .*-demo$ ]]; then
          DOCKER_IMAGE_NAME=$DEMO_DOCKER_IMAGE_NAME
        fi
        echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
      fi
      echo "prepared to build docker image: ${HARBOR_REGISTRY}/${DOCKER_IMAGE_NAME}${tag}"
    - docker build . -t "${HARBOR_REGISTRY}/${DOCKER_IMAGE_NAME}${tag}" -f $DOCKERFILE_NAME --build-arg OSS_ACCESS_KEY="${STATIC_OSS_ACCESS_KEY}" --build-arg OSS_ACCESS_SECRET="${STATIC_OSS_ACCESS_SECRET}"  --build-arg OSS_ENDPOINT="${STATIC_OSS_ENDPOINT}"
    - docker push "${HARBOR_REGISTRY}/${DOCKER_IMAGE_NAME}${tag}"
  # Run this job in a branch where a Dockerfile exists
  only:
    - tags
    #- master
    - /^st-testing.*/
    - /^testing.*/
    - /^staging.*/
    - /^ka-staging.*/
    - /^ka-testing.*/
    - /^ka-testing$/
    - /^st-mock$/

# ========================= deploy =========================
deploy-k8s:
  stage: deploy
  tags:
    - "public"
  image: meltwaterfoundation/drone-kubectl:1.18
  script:
    # drone.yml - kubectl apply -f ./k8s/st-mock.yaml -n wataru
    # 对应这里的 - kubectl apply -f ./k8s/${conf}.yaml -n $ns 

    # TESTING_K8S_SERVER、TESTING_K8S_TOKEN 等 x_K8S_TOKEN、x_K8S_SERVER 是在gitlab配置的常量，这些常量是 kubernetes 上的服务器地址和登录token
    # 目前已知的有：
    # TESTING_K8S_SERVER
    # TESTING_K8S_TOKEN

    # STAGING_K8S_SERVER
    # STAGING_K8S_TOKEN

    # KA_TESTING_K8S_SERVER
    # KA_TESTING_K8S_TOKEN
    - |
      if [[ "$CI_COMMIT_BRANCH" =~ ^st-testing* ]]; then
        conf="st-testing"
        ns=$TESTING_K8S_NAMESPACE
        svr=$TESTING_K8S_SERVER
        token=$TESTING_K8S_TOKEN
        deployment=$TESTING_DEPLOYMENT_NAME
      elif [[ "$CI_COMMIT_BRANCH" =~ ^staging* ]]; then
        conf="staging"
        ns=$STAGING_K8S_NAMESPACE
        svr=$STAGING_K8S_SERVER
        token=$STAGING_K8S_TOKEN
        deployment=$STAGING_DEPLOYMENT_NAME
      elif [[ "$CI_COMMIT_BRANCH" =~ ^ka-staging* ]]; then
        conf="ka-staging"
        ns=$KA_STAGING_K8S_NAMESPACE
        svr=$KA_STAGING_K8S_SERVER
        token=$KA_STAGING_K8S_TOKEN
        deployment=$KA_STAGING_DEPLOYMENT_NAME
      elif [[ "$CI_COMMIT_BRANCH" =~ ^ka-testing* ]]; then
        conf="ka-testing"
        ns=$KA_TESTING_K8S_NAMESPACE
        svr=$KA_TESTING_K8S_SERVER
        token=$KA_TESTING_K8S_TOKEN
        deployment=$KA_TESTING_DEPLOYMENT_NAME
      elif [[ "$CI_COMMIT_BRANCH" =~ ^st-mock* ]]; then
        conf="st-mock"
        ns=$TESTING_K8S_NAMESPACE
        svr=$TESTING_K8S_SERVER
        token=$TESTING_K8S_TOKEN
        deployment=$MOCK_TESTING_DEPLOYMENT_NAME
      else
        echo "not a valid branch deploy by gitlab-ci"
        exit -1
      fi
      echo "enter deploy  $deployment  -n $ns"
      kubectl config set-cluster kubernetes --insecure-skip-tls-verify=true --server=$svr
      kubectl config set-credentials admin --token=$token
      kubectl config set-context deploy --cluster=kubernetes --user=admin
      kubectl config use-context deploy
      kubectl apply -f ./k8s/${conf}.yaml -n $ns # 只有这里用的配置文件不一样
      kubectl rollout restart deployment $deployment -n $ns
  only:
    - /^st-testing.*/
    - /^staging.*/
    - /^testing.*/
    - /^ka-staging.*/
    - /^ka-testing.*/
    - /^ka-testing$/
    - /^st-mock$/

# ========================= test =========================
# sql注入扫描
# sqlmap:
#   stage: test
#   tags:
#     - "testing"
#     - "security"
#   image:
#     name: "googlesky/sqlmap:latest"
#     #pull_policy: if-not-present
#   before_script:
#     - ｜
#        # 如果服务需要授权，想办法给sqlmap一个时间足够长的token
#   script:
#     - sqlmap -r tests/sqlmap/
#   only:
#     - /^testing*/  # sqlmap只能在测试环境执行

# http接口测试
# httptest:
#   stage: test
#   tags:
#     - "testing"
#   image:
#     name: "hbdev.wataru.com/dev/apifox-cli:latest"
#     #pull_policy: if-not-present
#   before_script:
#     - ｜
#        # 如果服务需要授权...
#   script:
#     - apifox-cli -f
#   only:
#     - /^testing*/

GitLab CI/CD的预置变量

扩展阅读：

《GitLab CI/CD 流水线配置 pipeline configuration reference》：https://gitlab.apachecn.org/#/docs/199
《GitLab CI/CD》：https://gitlab.apachecn.org/#/docs/198
《GitLab CI/CD预置变量》：https://gitlab.apachecn.org/#/docs/221
《GitLab CI/CD》英文原文文档：https://docs.gitlab.com/ee/ci/variables/index.html#for-an-instance